Privacy Policy
Last updated: 20 May 2026
This policy describes how we collect and process personal data through: (a) the arconerp.com website, (b) the Arcon ERP Mobile application for iOS and Android, and (c) the back-office web application at web.arconerp.com.
1. Data controller
Aristevin Consulting AB (Sweden) — publisher of Arcon ERP. For any question regarding the processing of your data: info@arconerp.com.
2. Data we collect
2.1 Website arconerp.com
- Contact form: name, email, phone (optional), business name (optional), message.
- Analytics: via Simple Analytics — anonymous, no cookies, no fingerprinting, honoring Do-Not-Track.
2.2 Arcon ERP Mobile app
- Account: email, username, tenant/store identifier, role. Provisioned by your employer/customer.
- Login credentials: the session token is stored encrypted in the device Keychain (iOS) / Keystore (Android) via expo-secure-store. Your password is not retained by the app after sign-in.
- Biometrics: if you enable biometric unlock (Face ID / Touch ID / fingerprint), processing happens locally on your device. Biometric data never leaves the device and is never transmitted to our servers.
- Camera — barcode scanning: the camera feed is processed locally to read barcodes. Frames are not stored, not transmitted, and not used for any other purpose. On Android the RECORD_AUDIO permission is requested together with camera due to a React Native dependency — we do not record audio.
- Operational data: documents, stock-takes, goods receptions, and other actions you perform as an ERP user are sent to our API (api.arconerp.com).
- Over-the-air updates: via Expo Updates, the app requests the latest published bundle at launch. The request includes platform (iOS/Android), app version and runtime version — no personal data.
We currently do not use any analytics SDK (Firebase, Sentry, Mixpanel, Amplitude, etc.) in the mobile app, nor advertising identifiers (IDFA / AAID). We do not collect location.
2.3 Planned future features
- Privacy-friendly product analytics: to understand crashes and improve quality. Before enabling, this policy will be updated in advance and the provider will be named.
- Push notifications: for task alerts (e.g. new goods reception). Explicit OS-level consent will be requested.
3. Purposes & legal basis
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Providing the ERP service | Contract — 6(1)(b) |
| Answering contact-form enquiries | Legitimate interest — 6(1)(f) |
| Tax obligations (myDATA) | Legal obligation — 6(1)(c) |
| Security & audit logging | Legitimate interest — 6(1)(f) |
| Website analytics | Legitimate interest — 6(1)(f) (anonymous, no cookies) |
4. Recipients & sub-processors
- Microsoft Azure — API and database (PostgreSQL) hosting. EU region.
- Expo (Expo Application Services) — OTA update distribution for the mobile app. USA.
- Apple App Store & Google Play — app distribution. USA.
- Resend — contact-form email delivery. USA.
- Simple Analytics — website analytics. Netherlands (EU).
For transfers outside the EEA we rely on Standard Contractual Clauses (SCCs) and, where applicable, the EU-US Data Privacy Framework.
5. Retention
- Contact-form messages: up to 24 months after the last interaction.
- Account data: for the duration of the commercial relationship. Deleted within 90 days of contract termination, unless tax/accounting law requires longer retention (typically up to 10 years for invoices).
- Audit log: 7 years (accounting cycle).
- Website analytics: aggregated, non-attributable.
6. Your rights
Under the GDPR you have the right to: access, rectification, erasure, restriction, data portability, objection, and to withdraw any consent you have given at any time.
To exercise your rights: use the form at /en/data-deletion (deletion and other GDPR requests). We respond within 30 days.
You may also lodge a complaint with the Hellenic Data Protection Authority (Greece — dpa.gr) or the Swedish Authority for Privacy Protection (IMY) (imy.se).
7. Security
All communication with our servers uses TLS 1.2+. Session tokens are stored in the device Keychain (iOS) or Keystore (Android). Database access is restricted to authorised personnel over encrypted channels. User passwords are hashed (Argon2/BCrypt).
8. Children
Arcon ERP is intended for businesses. We do not knowingly collect personal data from minors under the age of 16.
9. Changes to this policy
Material changes will be announced in the app or by email before they take effect. The "Last updated" date at the top reflects the current revision.
10. Contact
Aristevin Consulting AB · info@arconerp.com